Google has announced several mobile security enhancements, including adding support for the WebAuthn standard for use of the YubiKey.
As part of an adoption of hardware security tokens for Apple devices, users of Google services will now be able to use WebAuthn-approved tokens to securely access accounts.
Users of Apple devices running iOS 13.3 and above will now be able to use YubiKeys on their iPhone and iPad when accessing Google's iOS apps and web services on the Safari browser. Also, hardware-based authentication can be used via the Lightning connector for YubiKey 5Ci, and for near-field communication (NFC) via YubiKey 5 NFC and Security Key NFC.
For individuals with YubiKey models that may not be NFC enabled, it is also possible to use the Apple Lightning to USB Camera Adapter. This enablement will also allow Google accounts to be protected, including for Meet and YouTube.
Ashton Tupper, director of Global communications at Yubico, said: “Many individuals and organizations around the world rely on Google products to power their day-to-day applications and communications, and provide fast and simple logins into many other web-based services. Now, this new functionality on iOS opens the door to every single Google user, to heighten their mobile security with increased YubiKey options.”
Christiaan Brand, product manager for Google Cloud, said this capability will simplify the security key experience on compatible iOS devices, and allows users to use more types of security keys for their Google Account and the Advanced Protection Program.
“We highly recommend users at a higher risk of targeted attacks to get security keys (such as Titan Security Key or your Android or iOS phone) and enroll into the Advanced Protection Program,” Brand said. “If you’re working for political committees in the United States, you may be eligible to request free Titan Security Keys through the Defending Digital Campaigns to get help enrolling into Advanced Protection.”
In an email to Infosecurity, analyst Alan Goode from Goode Intelligence said FIDO U2F security keys, including the YubiKey and Google’s own Titan keys, have been successfully deployed within enterprises and with individual users who want a secure method to authenticate, and have proved effective against phishing attacks.
He added: “Its always been a bit of conundrum in how to effectively provide 2FA/MFA for mobile services when you are using the mobile as an authenticator. These security keys allow 2FA for accessing Google services on mobile devices and now support both Android and iOS devices. Late last year (December 2019), Apple announced support for WebAuthn on Safari and this was a big deal in allowing support for FIDO for web-based services and was a precursor for this announcement.”